Apple Policy on Bugs May Explain Why Hackers Would Help F.B.I.

SAN FRANCISCO — After a third party went to the F.B.I. with claims of being able to unlock an iPhone, many in the security industry said they were not surprised that the third party did not go to Apple.

For all the steps Apple has taken to encrypt customers’ communications and its rhetoric around customer privacy, security experts said the company was still doing less than many competitors to seal up its systems from hackers. And when hackers do find flaws in Apple’s code, they have little incentive to turn them over to the company for fixing.

Google, Microsoft, Facebook, Twitter, Mozilla and many other tech companies all pay outside hackers who turn over bugs in their products and systems. Uber began a new bug bounty program on Tuesday. Google has paid outside hackers more than $6 million since it announced a bug bounty program in 2010, and the company last week doubled its top reward to $100,000 for anyone who can break into its Chromebook.

Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits.

The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company’s website — but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

The disclosure by the United States government on Monday that an unknown third party had approached it — and not Apple — to help open a controversial iPhone only highlights how the giant company approaches bug-hunting efforts and security differently from the rest of the tech industry.

But security experts, especially those with a stake in such bug programs, said Apple could now be doing more, especially in this day and age where the conventions of finding bugs and fixing them have changed.

Just this week, researchers at Johns Hopkins University uncovered a flaw that would allow attackers to decrypt the contents of photos and videos attached in Apple’s iMessage program. The researchers turned that flaw over to Apple for patching.

“Especially with the stakes being as high as they are, if Apple wants to continue to compete in the modern world, they have to modernize their approach,” said Katie Moussouris, a chief policy officer at HackerOne, which companies like Yahoo, Dropbox and now Uber pay to manage their bug bounty programs.

The identity of the third party that approached the F.B.I. with the possible way to unlock the iPhone — which was used by one of the attackers in a mass shooting in San Bernardino, Calif., last year — remained unknown on Tuesday. The emergence of the third party halted, at least temporarily, a contentious case between Apple and the United States government over whether the company should weaken the security of its iPhone to help law enforcement.

The Justice Department has declined to name the third-party person or organization, or to describe the proposed method for breaking into the device. The third party may not have approached Apple for many reasons.

In the past, Microsoft’s systems were a more frequent target for malicious-minded hackers, largely because of the prevalence of its products. But as Microsoft began to embrace the hacking community, its security improved.

As Apple’s desktops and mobile phones have gained more market share, and as customers began to entrust more and more of their personal data to their iPhones, Apple products have become far more valuable marks for criminals and spies.

An Apple spokeswoman referred to an editorial by Craig Federighi, the company’s senior vice president for software engineering, in which he wrote, “Security is an endless race — one that you can lead but never decisively win.”

“Our team must work tirelessly to stay one step ahead of criminal attackers who seek to pry into personal information,” Mr. Federighi said. “Despite our best efforts, nothing is 100 percent secure.”

Apple has long been less visible in the security community compared with other tech companies. The company has shied away from bug bounty programs and instead relied on large testing programs and the work of its security team to spot vulnerabilities, partly because it is disinclined to keep up with a financial arms race of paying for bugs, according to three former and current employees, who spoke on the condition of anonymity because they were not authorized to speak publicly about security matters.

Apple has said it will fight to know more about the flaw in the software or hardware that the third party has presented to law enforcement. A senior executive said in a conference call with reporters Tuesday that if the government found the method did not work and tried to force Apple to help break into the phone, Apple would have questions about what was tried, in order to keep its products as secure as possible.

If the third-party method does work, the government may dismiss a court order demanding that Apple weaken its security, but keep the process it used to break into the phone under seal. In that case, Apple would have no way of knowing how the government broke into its software or hardware.

Exploits in Apple’s code have become increasingly coveted over time, especially as its mobile devices have become ubiquitous, with an underground ecosystem of brokers and contractors willing to pay top dollar for them.

Flaws in Apple’s mobile devices can typically fetch $1 million. Last September, a boutique firm in Washington, called Zerodium, which sells flaws to governments and corporations, announced a $1 million bounty for anyone who would turn over an exploit in Apple’s iOS 9 mobile operating system — the same operating system used to power the iPhone used by the San Bernardino shooter. By November, Zerodium said a team of undisclosed hackers had successfully claimed the bounty.

Chaouki Bekrar, the founder of Zerodium, said his company was not the outside party referred to in the government’s court filing on Monday. But Mr. Bekrar added that even if Zerodium had helped the F.B.I., he would not disclose it.

“For every Zerodium, there are a thousand other organizations like Zerodium that are far less vocal about doing what they do and will pay researchers who find this stuff to keep it a secret,” said Casey Ellis, the founder of BugCrowd, a company in San Franciso that helps vendors manage bug bounty programs.

The heated battle between the United States government and Apple over breaking into the iPhone used by the San Bernardino gunman may have inadvertently catalyzed the underground market for Apple code flaws. With the F.B.I. pushing Apple to help unlock the device with a court order and publicizing that it has been unable to get into the iPhone, hackers realized there was a blank check for them if they could accomplish it, said Jon Oberheide, the chief technology officer of Duo Security, a cloud security company.

Some security researchers said no bounty Apple could offer now would match the reward they could expect from the underground market. Apple has waited so long that the black market for its flaws has become extremely lucrative, perhaps making any bug bounty program the company would create seem late to the game.

“Apple can embrace security researchers, or try to facilitate programs that will secure its operating system, but it’s never going to be able to compete with what is going on behind the scenes in the black market,” said Jay Kaplan, a former N.S.A. analyst and co-founder of Synack, a company that deploys hackers to weed out vulnerabilities in clients’ systems. “It’s just not going to happen.”

A version of this article appears in print on , on Page A1 of the New York edition with the headline: Why Hackers Might Help F.B.I. and Not Apple. Order Reprints | Today’s Paper | Subscribe